Archive

Data not being indexed / inputs.conf

Communicator

Hi,

I have an issue with data not being indexed as expected. I have created a sourcetype and an indexed as I would expect. I have created a serverclass for my both servers app1 + app2 and I have the forwarder installed on both and all the same apps deployed.

My index.conf looks like this:

[monitor:///wmosapp/scope/ATL/WMS/profile-root/prodatlwms/log/scpp-prodatlwms.log] I do see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app1.corp.xxx.com

[monitor:///wmosapp/scope/ATL/WMS/profile-root/atlwms/log/scpp-prodatl_wms.log] I do see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app2.corp.xxx.com

[monitor:///wmosapp/scope/DEN/WMS/profile-root/denwms/log/scpp-denwms_prod.log] I do not see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app1.corp.usa.com

[monitor:///wmosapp/scope/DEN/WMS/profile-root/denwms/log/scpp-denwms_prod.log] I see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app2.corp.xxx.com

[monitor:///wmosapp/scope/NEW/WMS/profile-root/newwms/log/scpp-newwms.log] I do not see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app1.corp.xxx.com

[monitor:///wmosapp/scope/NEW/WMS/profile-root/newwms/log/scpp-newwms.log] I see data indexed for this log
sourcetype = wms
index = wms

ignoreOlderThan = 7d

disabled = false
host = app2.corp.xxx.com

Pretty much I only see data being indexed from one of app1 files but all my app2 files. I checked the path and they are correct.

Thank you very much for your help,

Oliver

Tags (1)
0 Karma
1 Solution

Communicator

Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"

Can you also post your serverclass.conf for this config.

You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.

View solution in original post

Communicator

Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"

Can you also post your serverclass.conf for this config.

You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.

View solution in original post

Influencer

Your inputs.conf configuration looks good. You restarted the UF (or Splunk) after updating inputs.conf, right? If so, the next step would be to take a look at the log file and see if there is anything related to the inputs being ignored. Splunk will tell you most of the time why it ignores an input. Try restarting Splunk and doing a tail -f $SPLUNK_HOME/var/log/splunk/splunkd.log

Sometimes you also have to wait a bit before data will show up on the indexer/search head (usually due to large files), but I would check the log first. You can also search index=_internal sourcetype=splunkd if you don't want to use tail.

Communicator

Thank you very much for your quick answer, I did what you said and I think the found the issue somewhere else.

When I actually look at the outputs, it takes output from app1 but it shows the host as app2:

alt text

I double checked and verfied that the log files is acutally from app1 but the host is being displayed as app2. Any idea where I can fix this?

Oliver

0 Karma

Communicator

Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"

Can you also post your serverclass.conf for this config.

You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.

Communicator

Thank you, I meant inputs.conf , my bad.

I did remove all the host= but now it is not indexing any data any more at all.

I do not have a serverclass.conf on my forwarders, which app would I need to deploy to get this.

0 Karma

Communicator

Nevermind, I restarted the whole SPLUNK and it works now. Thanks!!

0 Karma

Communicator

I added my comments as new answer. Can you please accept it as correct answer and if possible award points. Thanks,

0 Karma